# {{ ansible_managed }}

# Configuration File - Nginx Server Configs
# http://nginx.org/en/docs/dirindex.html

{% block modules_enabled -%}
include modules-enabled/*.conf;
{% endblock %}

{% block user %}
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
user {{ nginx_user }};
{% endblock %}

{% block worker %}
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes auto;

# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 8192;
{% endblock %}

{% block events %}
events {
  # If you need more connections than this, you start optimizing your OS.
  # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
  # Should be < worker_rlimit_nofile.
  # Default: 512
  worker_connections {{ nginx_worker_connections }};
}
{% endblock %}

{% block error_log %}
# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
error_log  {{ nginx_logs_root }}/error.log warn;
{% endblock %}

{% block pid %}
# The file storing the process ID of the main process
# Default: nginx.pid
pid        /run/nginx.pid;
{% endblock %}

http {
  {% block http_begin %}
  map $upstream_cache_status $header_x_cache_enabled {
    default true;
    BYPASS  "";
  }

  map $server_addr:$remote_addr $is_loopback_request {
    "~^([^:]+):\1$" 1;
    default         0;
  }

  map $is_loopback_request:$header_x_cache_enabled $loopback_header_x_cache_enabled {
    default "";
    1:true  true;
  }
  {% endblock %}

  {% block server_tokens -%}
  # Hide nginx version information.
  # Default: on
  server_tokens off;
  {% endblock %}

  {% block cache -%}
  # Setup the fastcgi cache.
  fastcgi_buffers {{ nginx_fastcgi_buffers }};
  fastcgi_buffer_size {{ nginx_fastcgi_buffer_size }};
  fastcgi_read_timeout {{ nginx_fastcgi_read_timeout }};
  fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }};
  fastcgi_cache_use_stale updating error timeout invalid_header http_500;
  fastcgi_cache_lock on;
  fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method$http_origin$http_x_http_method_override;
  fastcgi_ignore_headers Expires Set-Cookie;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header Cookie;
  {% endblock %}

  {% block mime_types -%}
  # Specify MIME types for files.
  include       h5bp/mime.types;

  # Default: text/plain
  default_type  application/octet-stream;
  {% endblock %}

  {% block charset_types -%}
  # Update charset_types to match updated mime.types.
  # text/html is always included by charset module.
  # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
  charset_types
    text/css
    text/plain
    text/vnd.wap.wml
    application/javascript
    application/json
    application/rss+xml
    application/xml;
  {% endblock %}

  {% block log_format -%}
  # Include $http_x_forwarded_for within default format used in log files
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
  {% endblock %}

  {% block access_log -%}
  # Log access to this file
  # This is only used when you don't override it on a server{} level
  # Default: logs/access.log combined
  access_log {{ nginx_logs_root }}/access.log main;
  {% endblock %}

  {% block keepalive -%}
  # How long to allow each connection to stay idle.
  # Longer values are better for each individual client, particularly for SSL,
  # but means that worker connections are tied up longer.
  # Default: 75s
  keepalive_timeout 20s;
  {% endblock %}

  {% block sendfile -%}
  # Speed up file transfers by using sendfile() to copy directly
  # between descriptors rather than using read()/write().
  # For performance reasons, on FreeBSD systems w/ ZFS
  # this option should be disabled as ZFS's ARC caches
  # frequently used files in RAM by default.
  # Default: off
  sendfile        on;
  {% endblock %}

  {% block tcp_nopush -%}
  # Don't send out partial frames; this increases throughput
  # since TCP frames are filled up before being sent out.
  # Default: off
  tcp_nopush      on;
  {% endblock %}

  {% block compression -%}
  # Compression

  # Enable gzip compression.
  # Default: off
  gzip on;

  # Compression level (1-9).
  # 5 is a perfect compromise between size and CPU usage, offering about
  # 75% reduction for most ASCII files (almost identical to level 9).
  # Default: 1
  gzip_comp_level    5;

  # Don't compress anything that's already small and unlikely to shrink much
  # if at all (the default is 20 bytes, which is bad as that usually leads to
  # larger files after gzipping).
  # Default: 20
  gzip_min_length    256;

  # Compress data even for clients that are connecting to us via proxies,
  # identified by the "Via" header (required for CloudFront).
  # Default: off
  gzip_proxied       any;

  # Tell proxies to cache both the gzipped and regular version of a resource
  # whenever the client's Accept-Encoding capabilities header varies;
  # Avoids the issue where a non-gzip capable client (which is extremely rare
  # today) would display gibberish if their proxy gave them the gzipped version.
  # Default: off
  gzip_vary          on;

  # Compress all output labeled with one of the following MIME-types.
  # text/html is always compressed by gzip module.
  # Default: text/html
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/javascript
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;

  # This should be turned on if you are going to have pre-compressed copies (.gz) of
  # static files available. If not it should be left off as it will cause extra I/O
  # for the check. It is best if you enable this in a location{} block for
  # a specific directory, or on an individual server{} level.
  # gzip_static on;
  {% endblock %}

  {% block http_includes_d -%}
  include includes.d/http/*.conf;
  {% endblock -%}

  # Add Access-Control-Allow-Origin.
  # h5bp/directive-only/cross-origin-requests.conf
  map $sent_http_content_type $cors {
    # Images
    image/bmp     "*";
    image/gif     "*";
    image/jpeg    "*";
    image/png     "*";
    image/svg+xml "*";
    image/webp    "*";
    image/x-icon  "*";

    # Web fonts
    font/collection               "*";
    application/vnd.ms-fontobject "*";
    font/eot                      "*";
    font/opentype                 "*";
    font/otf                      "*";
    application/x-font-ttf        "*";
    font/ttf                      "*";
    application/font-woff         "*";
    application/x-font-woff       "*";
    font/woff                     "*";
    application/font-woff2        "*";
    font/woff2                    "*";
  }

  include h5bp/directive-only/cache_expiration.conf;

  {% block sites_enabled -%}
  # Include files in the sites-enabled folder. server{} configuration files should be
  # placed in the sites-available folder, and then the configuration should be enabled
  # by creating a symlink to it in the sites-enabled folder.
  # See doc/sites-enabled.md for more info.
  include sites-enabled/*.conf;
  {% endblock %}
}
